The data breaches of yesteryear are becoming the cyber heists of today, making for what’s shaping up to be a good year for thieves and not so good for credit unions and those who insure their losses.
CUNA Mutual says a benchmarking survey of client credit unions shows a majority reporting an increase in fraud losses over 2016.
“For most, these are historic highs, surpassing the full year 2016 losses even though we’re only halfway through 2017,” says risk consultant Robert Jarosinski.
According to Jarosinski, cyber thieves are now using data stolen in the past couple of years to create fake credit cards and commit digital theft alike. They’re using information often available on the cheap in the netherworld of the internet.
Hackers also are using those digital black markets to buy the tools needed for other dirty deeds, including DDoS attacks that flood websites with junk requests until the service goes down, launched out of sheer malice or to distract from other attacks taking place inside that network at the same time.
“We’re seeing people buying a lot of server capacity and trying to flood websites in unsophisticated fraud attacks,” says Ram Annasami with web traffic and security specialists Cloudflare in San Francisco, CA.
“Their motives are never completely clear, but we are seeing ransom notes at times,” Annasami says. “Of course, our recommendation is to never pay them.”
And to aggravate the well-publicized ransomware problem, there’s even less honor now among thieves, according to Heather McCalman, credit union council manager for the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Honor Among Thieves?
“When ransomware first came out there was a kind of personal integrity to it,” McCalman says. “You paid them their bitcoins and they provided the encryption keys. Now there seems to be other groups moving in, and there’s no guarantee you’ll get the encryption keys or if they can even do it.”
Of course, that vulnerability begins with malware getting inside the infrastructure in the first place.
“Credit unions are strong around their network perimeter but are not as focused on their internal traffic and their employees’ clicking behavior,” says Bob Thibodeaux, chief information security officer at DefenseStorm, a Seattle, WA-based provider of cybersecurity solutions. “They can train, test, and repeat, but it only takes one click for malicious code to start moving internally within a network, often lying dormant for some time.”
3 Ways To Stay Safe
Federal regulators have made it clear that cybersecurity is the responsibility of senior leaders.
So, how can leadership teams – to include boards and the C-suite – arm themselves?
By using these tools and guidelines:
FFIEC Cybersecurity Assessment Tool — The Federal Financial Institutions Examination Council, a consortium of banking agencies that includes the NCUA and FDIC, lays out enterprise-wide expectations in this 59-page PDF.
Overview for Chief Executive Officers and Boards of Directors — The FFIEC also offers this five-page primer.
Cybersecurity Framework — A set of industry standards and best practices put forth by the National Institute of Standards and Technology to help organizations manage cybersecurity.
“The NCUA has adopted the FFIEC Cybersecurity Assessment Tool as a resource to measure a credit union’s ability to identify risk and determine its level of cybersecurity maturity,” says Bob Thibodeaux, chief information security officer at DefenseStorm. “Each of these tools, whether liked or loathed, is in place to help financial institutions remain focused on consistent challenges.”
How Low Can They Go?
It used to all be called “phishing,” but now there’s a sub-specialty for cyberthieves: the business email compromise (BEC).
In a typical BEC, the attacker uses inside information to send a convincing spoofed email, purporting to come from the CFO or CEO, to the person who handles wire transfers inside a credit union.
Another focuses on members, rather than the credit union itself. That’s the case with targeted attacks on real estate closings, in which the fraudsters finagle things well enough to get the settlement funds wired to them, often to the tune of hundreds of thousands of dollars.
“BECs have become enough of a problem that the FBI has been issuing warnings about them,” says McCalman, the FS-ISAC credit union council manager.
One way to avoid problems? Don’t use Gmail addresses for business accounts, McCalman advises. It’s not unusual for small lawyer and title offices to use those, but they can be vulnerable to hackers.
And be alert. Hackers watch email threads for weeks and then pounce when the time is right, typically right at the close. Be alert to changes in wiring instructions, and when checking them, don’t use the phone number included on the email, McCalman advises.
“Prevention begins with awareness,” she says.
How Deep Can They Go?
Malware and probing can come through unexpected avenues, too, especially as the Internet of Things takes hold, connecting everything from a mobile app to a branch HVAC system to an entire electrical grid. The integrating software, as well as devices brought in by vendors who are connecting them to a credit union’s internal network, can all be vulnerable.
“That’s how it starts,” says Lori Lucas, manager of IT compliance programs at PSCU, the St. Petersburg, FL-based card processing CUSO. “Then the hackers use that malware to see how deep they can get into the network.”
Lucas says segmenting a network by building virtual barriers between systems ― making hackers “hop over multiple walls” ― is important, as is encrypting data. PSCU, which adheres to PCI card standards, requires measures such as these.
Because cybersecurity is both a people and process problem, awareness and solutions need to be continuous and embedded into the corporate culture. That, of course, begins at the top, in the C-suite and boardroom.
“The greatest threats IT and IS departments must communicate to leadership and the board are concepts that they understand, like liability, reputational risk, damaged member relationships, lawsuits, and public relations nightmares,” says Thibodeaux at DefenseStorm.